CVE-2024-1597
SQL Injection vulnerability in postgresql (Maven)


What is CVE-2024-1597 About?

This vulnerability is a SQL injection flaw in the PostgreSQL JDBC driver (pgjdbc) when the non-default `preferQueryMode=simple` connection property is used. An attacker who controls both a numeric parameter and a string parameter in a specific SQL query pattern can inject arbitrary SQL, potentially leading to data manipulation or unauthorized access. Exploitation requires specific conditions to be met in the application's SQL code and user-controlled input, making it moderately complex to achieve.

Affected Software

  • org.postgresql:postgresql
    • >42.5.0, <42.5.5
    • <42.2.8
    • <42.2.28
    • >42.3.0, <42.3.9
    • >42.4.0, <42.4.4
    • >42.7.0, <42.7.2
    • >42.6.0, <42.6.1

Technical Details

The vulnerability arises in the simple query mode of the PostgreSQL JDBC driver when a placeholder for a numeric value is immediately preceded by a minus sign (-) and followed by a placeholder for a string value on the same line. In simple query mode the driver inlines parameter values into the query text instead of sending them separately. If the numeric parameter is negative, the minus sign already in the query and the minus sign of the inlined value together form `--`, which PostgreSQL treats as the start of a line comment. That comment runs to the end of the line, swallowing the opening quote of the subsequent string parameter; if the string value contains a newline, everything after that newline is no longer inside a comment or a quoted literal and is executed as SQL. This effectively bypasses intended SQL statement boundaries, enabling the injection of arbitrary SQL commands, whereas the default extended query mode sends parameters separately and is unaffected.

What is the Impact of CVE-2024-1597?

Successful exploitation may allow attackers to execute arbitrary SQL commands, modify database contents, disclose sensitive information, or bypass authentication.

What is the Exploitability of CVE-2024-1597?

Exploitation of this vulnerability is moderately complex, requiring specific conditions to be met in the application's SQL code and user input. Prerequisites include the use of the non-default preferQueryMode=simple connection property and a vulnerable SQL query pattern where a numeric placeholder prefixed by a minus sign is followed by a string placeholder on the same line. Both parameters must be user-controlled. No authentication or specific privileges beyond submitting crafted input are inherently required. This is typically a remote vulnerability, exploitable by crafting malicious input to an application using the affected driver. The likelihood of exploitation increases if applications widely use the simple query mode and construct dynamic SQL with user-controlled parameters in the described vulnerable pattern.
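To make the prerequisites from the Technical Details and Exploitability sections concrete, here is an added audit helper that is not part of this advisory or of the pgjdbc project: it checks a driver version against the fixed releases listed on this page, inspects a JDBC URL for `preferQueryMode=simple`, and scans SQL text for a `-?` placeholder followed by another `?` on the same line, ignoring placeholders inside string literals and `--` comments. The JDBC URL and SQL samples are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Fixed patch level per 42.x minor series, taken from this page's upgrade table
# (for the 42.2 series the later fixed release, 42.2.28, is used).
FIXED_PATCH: Dict[Tuple[int, int], int] = {
    (42, 2): 28, (42, 3): 9, (42, 4): 4, (42, 5): 5, (42, 6): 1, (42, 7): 2,
}

_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'", re.S)
_LINE_COMMENT = re.compile(r"--[^\n]*")
# A `?` placeholder immediately preceded by `-`, with another `?` later on the same line.
_RISKY = re.compile(r"-\?[^\n]*\?")

# Constructed sample inputs (not taken from any real application).
SAMPLE_URL = "jdbc:postgresql://db.internal:5432/app?preferQueryMode=simple&ssl=true"
SAMPLE_SQL = "SELECT * FROM items WHERE qty = -? AND label = ?"


def is_fixed_version(version: str) -> bool:
    """True if this org.postgresql:postgresql version is at or past the fix for its series."""
    major, minor, patch = (int(x) for x in version.split(".")[:3])
    if (major, minor) in FIXED_PATCH:
        return patch >= FIXED_PATCH[(major, minor)]
    return (major, minor) > (42, 7)  # series older than 42.2 have no fixed release


def uses_simple_query_mode(jdbc_url: str) -> bool:
    """True if the JDBC URL's query string sets preferQueryMode=simple."""
    _, _, query = jdbc_url.partition("?")
    for param in query.split("&"):
        key, _, value = param.partition("=")
        if key == "preferQueryMode" and value.strip().lower() == "simple":
            return True
    return False


def _blank(match) -> str:
    # Replace a literal or comment with spaces, keeping newlines so line numbers survive.
    return re.sub(r"[^\n]", " ", match.group(0))


def find_risky_lines(sql: str) -> List[int]:
    """1-based line numbers where a `-?` placeholder is followed by another `?` on the same line."""
    cleaned = _LINE_COMMENT.sub(_blank, _STRING_LITERAL.sub(_blank, sql))
    return [i for i, line in enumerate(cleaned.splitlines(), start=1) if _RISKY.search(line)]


def is_exposed(version: str, jdbc_url: str, sql: str) -> bool:
    """All three advisory conditions must hold for a prepared statement to be exposed."""
    return (not is_fixed_version(version)
            and uses_simple_query_mode(jdbc_url)
            and bool(find_risky_lines(sql)))
```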

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2024-1597?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch ensures parameter values are always individually wrapped in parentheses and cast to their expected types, so a user-controlled value cannot alter the structure of the surrounding SQL expression. By forcing each parameter to be interpreted in its intended context, the patch closes the SQL injection vector described in CVE-2024-1597, in which certain crafted parameter values could escape their context and change the semantics of the statement.

Available Upgrade Options

  • org.postgresql:postgresql
    • <42.2.8 → Upgrade to 42.2.8
    • <42.2.28 → Upgrade to 42.2.28
    • >42.3.0, <42.3.9 → Upgrade to 42.3.9
    • >42.4.0, <42.4.4 → Upgrade to 42.4.4
    • >42.5.0, <42.5.5 → Upgrade to 42.5.5
    • >42.6.0, <42.6.1 → Upgrade to 42.6.1
    • >42.7.0, <42.7.2 → Upgrade to 42.7.2


Additional Resources

What are Similar Vulnerabilities to CVE-2024-1597?

Similar Vulnerabilities: CVE-2023-52428, CVE-2024-12909, CVE-2022-21448, CVE-2021-39225, CVE-2020-1941